Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security The Internet Worms

Cross-Site Scripting Worm Floods MySpace 321

DJ_Vegas writes "One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, 'Samy' had amassed over 1 million friends on the popular online community. According to BetaNews, the worm's code utilized XMLHTTPRequest - a JavaScript object used in AJAX Web applications and was spreading at a rate of 1,000 users every few seconds before MySpace shut down its site. Thankfully, the script was written for fun and didn't try to take advantage of unpatched security holes in IE to create a massive MySpace botnet."
This discussion has been archived. No new comments can be posted.

Cross-Site Scripting Worm Floods MySpace

Comments Filter:
  • XSS? (Score:5, Informative)

    by mindstrm ( 20013 ) on Friday October 14, 2005 @08:28AM (#13789915)
    Is it really XSS if it's all happening at the same site? Just sayin.....

    XMLHTTP has a same-site policy... the problem here is they let users render html & javascript in their own pages on the site. If slashdot allowed executable javascript in the comments, we'd have the same problem.
    • Re:XSS? (Score:5, Informative)

      by Skye16 ( 685048 ) on Friday October 14, 2005 @08:30AM (#13789933)
      No, they don't let you render JavaScript on the site. If you RTFA, he split the word "java script" into two lines, hid it in a CSS tag, and IE read it anyway. MySpace has stripped out tags for at least a year and a half.
      • Re:XSS? (Score:3, Informative)

        by Skye16 ( 685048 )
        Goddammit, this is what I get for not previewing.

        "he split the word 'JavaScript' into two lines", and "MySpace has stripped out JavaScript and <script> tags for at least a year and a half"
      • by benhocking ( 724439 ) <benjaminhocking&yahoo,com> on Friday October 14, 2005 @08:38AM (#13789986) Homepage Journal

        In the past, I've been of mixed feelings with IE correctly rendering the "intent" of a web-designer when the web-designer has created buggy HTML - this includes such things as omitting terminating tags (e.g., &ltl\li>) as well as a few other things. The result of IE doing this was that some web pages look good in IE that didn't look good in other browsers - thus encouraging more people to use IE. As HTML was being used more and more by the masses, there seemed some logic to this. Of course, one of the problems with this idea is that the designers were looking at their web-pages in IE to see if their code was written correctly.

        This story just goes to emphasize the importance of calling buggy HTML code what it is, and not trying to infer the intent of the HTML coder. Samy cleverly found a way to make "buggy code" that would get past MySpace's filter, but that would be rendered the way he intended by the browser with the majority market share.

        • omitting terminating tags (e.g., &ltl\li>)

          You seem to have been meaning to write '': just out of curiosity, did you deliberately omit the semicolon in the HTML entity for 'less than'? I ask because that (omitting the ;) is another example of what you're complaining about. :)
        • by Kawahee ( 901497 ) on Friday October 14, 2005 @08:59AM (#13790138) Homepage Journal
          This exploit isn't limited to IE, Safari also has this problem. And I'd probably attribute it to 'logical' coding
          pseudo-c code:

          if (tagname == "style" && tagtype == "text/css") {
          process_stylesheet (taginfo);
          } else if (tagname == "style") {
          switch (tagtype) {
          case "text/javascript":
          process_js (taginfo);
          break;
          }
          }


          But hopefully something less obvious that doesn't scream security flaw.
        • In the past, I've been of mixed feelings with IE correctly rendering the "intent" of a web-designer when the web-designer has created buggy HTML - this includes such things as omitting terminating tags (e.g., &ltl\li>) as well as a few other things

          I once made a comment in the Firefox forums about the difference between the way IE and Firefox interpret web pages. IE believes that everyone is an idiot and will pat the designer on the head and fix the errors without telling you what you did wrong.

        • I have a 3d party site that brands its content for us but does it using and tags. The tag is forbidden by the W3C standard

          http://www.w3.org/TR/REC-html40/struct/objects.htm l#h-13.2 [w3.org]

          Notice "Start tag: required, End tag: forbidden"

          Which is pretty unambiguous.

          That sites response to letting them know that they were putting out "Forbidden" tags was to come up with a "Compatiability Matrix" for which browsers and vesions of browsers would work with there site.

          This is unfortunately the attitude of many sites an
      • I don't care how he got the javascript to load. The fact of the matter is he got it to load. While it's Microsoft's fault for shipping a faulty browser, it's still the website's fault for not properly filtering. You can't just block the words "Javascript" and "Script" and call it good.
        • by Bogtha ( 906264 ) on Friday October 14, 2005 @09:13AM (#13790250)

          I don't care how he got the javascript to load. The fact of the matter is he got it to load. While it's Microsoft's fault for shipping a faulty browser, it's still the website's fault for not properly filtering.

          That's not the right attitude. The problem lies with web browsers that accept non-standard code.

          Malicious code comes in two flavours - code that is outright malicious, and code that is completely benign in browsers that conform to the W3C specifications, but is interpreted wrongly by some browsers to generate a malicious effect.

          The first type is easy to filter out, because you can go to the spec and see how things are meant to be interpreted, and from that determine what should be filtered out. The other type, though, is much harder to filter out, as you also need to be aware of all the little quirks and foibles of all browsers likely to be used to access your web application - something that isn't written down anywhere most of the time.

          For example, you might have written code that strips out HTML tags. That's fine, except some versions of Netscape Navigator 4.x treat entirely different Unicode characters as if they were < and >. As a web developer, you have no way of knowing about this unless you are privy to some of the most obscure browser trivia in the world, so unless you take a default deny policy and outlaw any non-ASCII characters (goodbye international visitors), you are likely to write code that is vulnerable to this attack - for Netscape 4 users.

          Now multiply that problem by all browsers in use today, and all the little quirks and deviations from spec. that they have, and you'll start to get an idea of why it's not feasible for web developers to be responsible for this problem, and why the responsibility lies at the browser developers' feet.

          • by TWX ( 665546 ) on Friday October 14, 2005 @09:34AM (#13790400)
            And because of that, I still use Netscape 3.0 Gold on GUI machines, and I telnet to port 80 on console machines...

            ;)
          • by radtea ( 464814 )
            responsibility lies at the browser developers' feet.

            Users want browsers that will render their webpages, including pages they author themselves. Because the average person is not capable of writing a web page that parses, and many tools for writing web pages generate invalid HTML, any standards-compliant browser will not render most of the web. Try running your own web pages through SP using any W3C HTML DTD and see what I mean.

            The situation is an artefact left over like a minefield from the browser war i
          • by BobPaul ( 710574 ) * on Friday October 14, 2005 @10:49AM (#13791031) Journal
            LiveJournal's cleanhtml.pl already covers multiline splits in IE. It's not like IE's interpretation of single tags split on mutiple lines hasn't been known about for quite some time.

            I completely agree that IE is the problem, but to say that this is something site administrators couldn't have been prepared for is untrue. To expect a self replicating javascript? No way. But to secure the filter to prevent multiline tags? Yes, cleanhtml.pl already does. It's known and out there already.
        • The point is that there is no way to know every possible loophole because IE is extremely buggy and nobody outside of M$ can look at the source to figure out all possible problems. Most likely the problem is so big that even with the source you couldn't figure out all the possible exploits in the time it'd take you to just write a better browser.

          How else could they block Javascript without eliminating the ability to post bits of code or psuedo-code for artistic or informational reasons? Even then it could p
    • I think the problem is that the MySpace site allows javascript to be uploaded.

      http://blog.outer-court.com/archive/2005-10-13-n73 .html [outer-court.com]

      From the perspective of XMLHttpRequest you cannot call a domain that is not the original HTML page. IE, Mozilla, and Safari implement same domain policy and having experimented it is not possible.
      • Re:XSS? (Score:5, Informative)

        by Haydn Fenton ( 752330 ) <no.spam.for.haydn@gmail.com> on Friday October 14, 2005 @09:23AM (#13790333)
        No, you can't upload Javascript to MySpace. That's the whole point.
        From what I gather, you can upload CSS tags and other non-harmful tags. However, 'Samy' managed to find out that instead of writing valid CSS code inside the CSS tag, you can simply write a Script tag (so long as you split it over two lines) and upload it that way.
        This in itself shouldn't be a problem; since the code is inside a CSS tag it should be parsed as invalid CSS code, and so there's no reason for MySpace to have blocked it.
        This is where IE comes into it, if you are using IE, IE will parse it as a valid Javascript tag anyway, and execute the code.

        This isn't really a bug in MySpace (well, technically it is now), it's more like a bug in IE which can be exploited on MySpace, or any other site which allows similar tags in which code can be 'hidden'.
        • Re:XSS? (Score:3, Informative)

          by arkanes ( 521690 )
          I suspect that IEs "dynamic CSS" JavaScript exrepssions, which can contain arbitrary JavaScript, are also a XSS vulnerability just waiting to happen. The ability to do this may have something to do with why script tags are parsed in stylesheets at all.
    • Re:XSS? (Score:5, Funny)

      by ArsenneLupin ( 766289 ) on Friday October 14, 2005 @08:38AM (#13789991)
      If slashdot allowed executable javascript in the comments, we'd have the same problem.

      Given its userbase, if Slashdot allowed this, it would have far far far worse problems. Like "if you ever read the wrong Slashdot comment with Internet Explorer, you'll leave a goatse picture on every ASP and Cold Fusion website you visit thereafter..."

  • AJAX vuns (Score:3, Insightful)

    by bloodredsun ( 826017 ) <[martin] [at] [bloodredsun.com]> on Friday October 14, 2005 @08:30AM (#13789928) Journal
    Is this the first AJAX vulnerability? Something like this would be expected in any new-ish tech that is increasing in popularity.
    • This isn't an AJAX vulnerability: it's XSS that uses AJAX to do its thing. The vulnerability itself is entirely a server side issue. Well, as far as I understand it, anyway...
      • Re:AJAX vuns (Score:3, Informative)

        by erlenic ( 95003 )
        As others have pointed out elsewhere, it was an IE issue. MySpace apparently does filter out the word "javascript", but this guy was able to use a problem in IE to split the word across two lines, and put it inside some CSS code. For some reason, IE sees fit to execute code like that.
    • AJAX is an abstract concept that describes the use of a pair of technologies, namely JavaScript and XML. It is not a "thing" that can have a vulnerability. JavaScript and XML are ALSO not capable of having vulnerabilities either, since they're just languages. The only things that have vulnerabilites in the computer-related sense are specific pieces of software.

      In this case it's a problem with IE for improperly running JavaScript where it shouldn't. Or you could argue it's MySpace's fault for not knowing
    • Re:AJAX vuns (Score:3, Informative)

      by dmh20002 ( 637819 )

      XmlHttpRequest breaks the ingrained UI idiom of 'nothing happens until I click something'. Ajax (specifically XmlHttpRequest) has some scary implications for phishing. From a post on JoelOnSoftware discussion list by 'JD'
      For example, when someone clicks a link in an email that is out phishing for an SSN and personal info, you could be half-way through the form, and think - wait, I don't want to do this. BUT, with XmlHttpRequest, your information that you've only typed into the form has already been nab
  • Aww... (Score:5, Funny)

    by Anonymous Coward on Friday October 14, 2005 @08:30AM (#13789930)
    Myspace was out for a bit? Now you've REALLY given those emo kids something to cry about.
  • by Coocha ( 114826 ) <coocha@REDHATvt.edu minus distro> on Friday October 14, 2005 @08:32AM (#13789944) Homepage
    I've got a Myspace page, because it's the most convenient way to keep in touch with some of my old classmates. I've often thought about how few practical applications these kinds of 'social networking' sites provide, aside from general time-wasting. I've also scoffed at the number of young kids who have thousands of friends, as if it's the high school popularity contest in digital form.

    So this guy found a way to win the popularity contest. I scoff at him too, though at the same time I must laud him for his creativity. If other ./ers have insight as to what kind of malicious applications his XSS could be used for, I welcome the opportunity to learn. Also, what exactly IS XSS? Cross-site (to me) indicates that the script performs a function across multiple webpages... would this refer to all the peers in the Myspace cluster?
    • Comment removed (Score:4, Interesting)

      by account_deleted ( 4530225 ) on Friday October 14, 2005 @09:14AM (#13790260)
      Comment removed based on user account deletion
      • Its amazing to me that the site was sold for $580 million. Obviously technical annoyances didn't stop him from making an insane amount of money off the whole deal.

        Oh and % is used in LIKE queries, that may be why its filtered?

        Jeremy
    • According to this article [wikipedia.org], XSS is a bit of a misnomer:
      The term cross site scripting is not a very accurate description of this class of vulnerability. In the words of XSS pioneer Marc Slemko:

      This issue isn't just about scripting, and there isn't necessarily anything cross site about it. So why the name? It was coined earlier on when the problem was less understood, and it stuck. Believe me, we have had more important things to do than think of a better name.

      Check out the full article for a good descri

    • ./ers

      Nearly as amusing is this common typo for "/.ers". I hypothesize that Linux users are most prone, since typing "./" on the command line means "here" in the directory sense.

      OT as all get out, of course.

  • Go Samy! (Score:4, Funny)

    by jeek ( 37349 ) <jeek@je e k . n et> on Friday October 14, 2005 @08:33AM (#13789951) Homepage
    Go Samy! We're rooting for you over at EFnet #olsentwins!@
  • More info... (Score:5, Informative)

    by TheSync ( 5291 ) on Friday October 14, 2005 @08:34AM (#13789960) Journal
    Here is a recent paper on XSS viruses [bindshell.net]. Also there is an analysis [livejournal.com] of the specific MySpace worm.

    Evidently LiveJournal and other sites take care to scrub out JavaScript in user-provided web pages, but the rumors are that sometimes people do figure out how to obfuscate their HTML enough to deliver the payload, despite the scrubbers.
    • it's not really shocking that MySpace lets this sort of thing through, i've always been completly un-impressed with MySpace's design.. it's always been a wonder to me why people use it.. other than the obvious "everyone else is using it" syndrome..

      kinda reminds me of windows..
      • Are you serious? "Everyone else is using it" is *the* draw for a social networking site. Its interface is decent, and it handled the Friendster migration without the same level of outages.
    • Re:More info... (Score:2, Informative)

      by slavemowgli ( 585321 )
      Livejournal disallows Javascript (and even CSS) on their users' user info pages, but not in the actual journal entries.
    • Evidently LiveJournal and other sites take care to scrub out JavaScript in user-provided web pages, but the rumors are that sometimes people do figure out how to obfuscate their HTML enough to deliver the payload, despite the scrubbers.

      MySpace also scrubs javascript. This guy put obfuscated javascript into CSS for delivery.

    • Re:More info... (Score:5, Insightful)

      by Jerf ( 17166 ) on Friday October 14, 2005 @09:14AM (#13790258) Journal
      And it gets through because stupid programmers persist in making two mistakes:
      1. Defining "badness" instead of "goodness"
      2. Trying to "clean up" invalid code
      The first one means that you try to list all of the ways that the input can be bad. The Universe is evil and it hates you. You can't list all the funky things that it can do to you. Instead, list the good things and carefully verify that the input is good.

      For a simple, but very very real-world example, don't write a rule that says "If the password contains /, =, or \, reject it." Write a rule that says "Passwords may contain only letters, numbers, and underscores." In the first case, especially in the brave new world of Unicode, you'll never enumerate all the bad things that can happen.

      The second mistake is that once you've decided that input is bad, do not try to clean it up. The process of cleaning it up may itself make it invalid in the case of something like HTML. Just reject it with a good error message and let the user take care of it.

      If that is absolutely impossible, preferably on the lines of "you'll be fired if you don't clean it up", then at the very least, you must continue to recursively run the cleanup code until the input converges (is unchanged by the cleanup code).

      It's not that it's absolutely impossible to get it right if you don't follow these rules, it's just that it's really freakin' hard. Slashdot, for instance, does seem to manage, but it took them a few iterations and ultimately, it's a low-priority site even if it does get hacked a little. Is your program that unimportant?

      It's way, way easier to define legit HTML (specific tags, no attributes usually though it's easy to let a few specific ones through, even with a handful of specific values) than it is to create a function to take any arbitrary string and make "safe" HTML out of it.
      • Re:More info... (Score:3, Informative)

        by MobyDisk ( 75490 )
        Your concepts are right, but I see two flaws in your execution:

        1) Write a rule that says "Passwords may contain only letters, numbers, and underscores."

        Rules like this are arbitrary and cause other problems. My passwords use more than just letters, numbers, and underscores. There are lots of other characters that are perfectly valid. If you are going to define what is good, define it universally, not arbitrarily. How about all non-control ASCII characters: 32-126? It is safe but also non-restrict

  • by Dachannien ( 617929 ) on Friday October 14, 2005 @08:34AM (#13789961)
    And to think that, back in the day, people made friends by actually talking to other people.

  • Awsome (Score:5, Funny)

    by AForwardMotion ( 586699 ) * <cauze AT netscape DOT net> on Friday October 14, 2005 @08:35AM (#13789968)
    He'll probably get a lot of job offers from this.
  • by putko ( 753330 ) on Friday October 14, 2005 @08:39AM (#13789997) Homepage Journal
    Here [namb.la] is his explanation -- it goes over the transformations he had to make to the program to smuggle it past Myspace's filters.

    And here [namb.la] is his version of the story.

    He comes off as a sweet practical joker. But maybe that's just b.s. that he cooked up after he realized he might have some 'splainin' to do.

    Also, his site really is "namb.la" -- he's making some sort of joke at NAMBDLA's expense, which is pretty suspect, I think.
  • by Eric Giguere ( 42863 ) on Friday October 14, 2005 @08:39AM (#13789999) Homepage Journal

    ... it shouldn't be surprising that someone took it literally and tried to claim it all for himself.

    Eric
    William Shatner boldly goes like no man has before [ericgiguere.com]
  • samy is my hero (Score:5, Informative)

    by gr8n10zt ( 782694 ) on Friday October 14, 2005 @08:40AM (#13790006)
    The scoop from himself: http://fast.info/myspace/ [fast.info]
  • In the beginning (Score:3, Insightful)

    by Dogsbody_D ( 579981 ) on Friday October 14, 2005 @08:41AM (#13790013)
    This was bound to happen sooner or later, as MySpace repeats the history of the internet. Just look at the huge number of practically unreadable webpages with different size fonts and different colours, terribly innappropriate background images. Oh, and a load of commercial interests trying to stuff things down our throats. Loads of chicks though... ;)
    • Re:In the beginning (Score:3, Informative)

      by White Shade ( 57215 )
      there ARE lots of chicks, yes, but they're all 15 years old! (claiming to be 99, and that they're "bi", and "married" to their favourite female friend from middle school, haha)

      myspace is certainly addictive though ;)

  • by Bananatree3 ( 872975 ) * on Friday October 14, 2005 @08:42AM (#13790017)
    There is some guy's blog that has a personal interview with Samy, the writer of this "my hero" worm here [outer-court.com] ):

  • samy is my hero (Score:5, Informative)

    by zippity8 ( 446412 ) on Friday October 14, 2005 @08:42AM (#13790021)
    Turns out that he just used the fact that (not trying to start a flame war here) IE and some versions of Safari allow javascript tags within CSS.

    Samy's info on the topic (coral) [nyud.net]
    His explanation of how it works [namb.la]
  • by UserGoogol ( 623581 ) on Friday October 14, 2005 @08:43AM (#13790034)
    Thankfully, the script was written for fun and didn't try to take advantage of unpatched security holes in IE to create a massive MySpace botnet.
    FUCK! I knew I forgot to do something. I forgot to set the evil bit!
  • Didn't they use quoting?
    Maybe next time they might want to look here:
    http://shiflett.org/articles/foiling-cross-site-at tacks [shiflett.org]
  • XSS basics (Score:5, Informative)

    by flanker ( 12275 ) on Friday October 14, 2005 @08:50AM (#13790075)
    Cross-site scripting is a family of vulnerabilities that share these attributes: a) a web-site that takes and displays text (e.g. Slashdot allows you to post comments) and b) a web browser that processes javascript in webpages.

    The exploit involves placing javascript code into your posting on a website, such that when other people visit the website their browsers download your comment with the embedded javascript, which is then processed. The javascript, because it is being processed on your machine as part of the rendering of the page, can be used to exploit all sorts of vulnerabilities within browsers. When you have browsers tightly coupled with operating systems, this can open up some rather scary scenarios.

    In this case, the guy just used the vulnerability to make some relatively benign changes, but he could have just as easily exploited some of the many problems with IE to be more malicious.
  • Everyone knows that XMLHttpRequest isn't secure. Where do we go from here? Is there a way to force the object to use SSL? Is there too much overhead in encrypting and decrypting the XML data with Blowfish or another algorithm?
    • Re:XMLHttpRequest (Score:4, Informative)

      by patio11 ( 857072 ) on Friday October 14, 2005 @09:15AM (#13790267)
      What would encryping anything have accomplished, exactly? The problem isn't that someone intercepted a legitimate transfer in the middle and modified it to be evil. The problem is that one end of the legitimate transfer was compromised, and the other end of the legitimate transfer was too trusting of the input from the compromised end, and then happily passed along that input (perfectly legitimately) to other parties who were then compromised themselves.
  • by kukickface ( 675936 ) on Friday October 14, 2005 @08:52AM (#13790091)
    All your friends...All your friends...All your friends are belong to us. Its the mega-happy-funtime disco hit of 2005!
  • The Code (Score:2, Informative)

    by pturpin ( 801430 )
    Here [livejournal.com] is a link to the blog entry the article mentions that contains the code of the worm. (From Evan Martin of Google)
  • by phlegmofdiscontent ( 459470 ) on Friday October 14, 2005 @08:56AM (#13790122)
    Wait, there are unpatched security holes in IE? From all I've heard lately, it's way more secure than Firefox. How could Microsoft let this happen????
  • by Washizu ( 220337 )
    Who didn't know that place was full of STDs? (Script Transmitted Diseases)

  • My proposed "quick and dirty" solution is this.

    <script type="text/javascript">
    for (i = 0; i < 1000; ++i) {
    alert("Disable JavaScript for this site!");
    };
    alert("OK ..... Don't say you weren't warned.");
    </script>

    Now you can be sure that {almost*} nobody visiting your site has JavaScript enabled, so there is no chance of this affecting them.

    * There probably is _somebody_ _somewhere_ who really is masochistic enough t
    • Well, just remove the "++i", and you can also remove the "almost" part of your description.
      If you find a corresponding browser vulnerability, you just might switch off JavaScript with your JavaScript code, of course :-)
    • by arkanes ( 521690 ) <(arkanes) (at) (gmail.com)> on Friday October 14, 2005 @09:53AM (#13790537) Homepage
      This actually brings to mind something which has bugged me for a long time. Why the hell are JS dialogs modal?

      while (1) {alert("nope!");} Will DOS any browser in use today. You'll have to kill it via some OS level functionality, because alerts are modal and prevent interaction with the browser chrome. I understand that the JS spec is based on "run to completion", but is there any reason why JS alerts (and confirms, etc) shouldn't be model to the document canvas (disabling interaction with the canvas, but not browser chrome) rather than the browser itself?

      • while (1) {alert("nope!");} Will DOS any browser in use today. You'll have to kill it via some OS level functionality,

        Not links, any javascript dialog has an extra button "kill script". I wish the supposedly more featureful alternatives would adopt this simple improvement.

  • by British ( 51765 ) <british1500@gmail.com> on Friday October 14, 2005 @09:10AM (#13790227) Homepage Journal
    1. Embedded music videos. Anyone have a host list of the music video providers? I'd like to resolve them to 127.0.0.1
    2. Bogus accounts. There is a huge rash of "stripper" accounts, consisting of minimal user info, that messages out to single guys to get them to email them at their yahoo accounts. They typically have 4 or 5 risque pictures, making everyone think all women are whores. Bad bad bad.
    3. Myspace needs a "safe mode" where the excessively bad(bells and whistles) profiles that sodomize any web browser can be avoided.
    4. Why does clicking to one of your groups have to open in a new window? WHY? The top-bar navigation makes that un-neccessary.

    But still, myspace is better than orkut. People actually use myspace.
    • 5. Image leeches. Whenever I see a lot of hits on one of my pictures on my web site, it's because some asshole at MySpace has embedded it in his page without asking permssion, without copying it, and without giving it any attribution.

      Which is why I now have
      RewriteEngine On
      RewriteCond %{HTTP_REFERER} ^http://..myspace.com/.*$ [NC]
      RewriteRule .*\.jpg http://xcski.com/~ptomblin/leech.png [R,L]
      in my Apache configuration.
  • Since I know only about 12 programming languages and use maybe 10 libraries between them all, that makes me next to computer illiterate these days. So I didn't know what XSS was, but found this site: http://www.cgisecurity.com/articles/xss-faq.shtml [cgisecurity.com] extremely informative. Including some HEX code that looks like fun!
  • awhile back all my younger friends started bugging me to get a myspace profile. I took one look at the site, first thought was "crap design" (I'm a web/db dev), second thought was "superficial", closed window. I was just appalled at how bad it looked (despite still visiting Slashdot every day... hehe)

    All I can surmise is that the person who designed this worm is far more clever than any of the people who designed MySpace.

    I still don't have a profile on it...
  • by TheLink ( 130905 ) on Friday October 14, 2005 @09:59AM (#13790599) Journal
    Firstly it's on the same site :).

    Advogato (mod_virgule) was vulnerable to this sort of thing before (back in 2002). Won't be surprised if there were others too.

    Anyway, I've proposed years ago that there be HTML tags to turn off any active/dynamic stuff.

    Currently the HTML situation is like only being able to turn off the lights by going to dozens of switches one by one and turning them off. There is no main power switch to turn ALL the lights off, or even groups of lights off.

    I guess it's just me who thinks that the HTML equivalent of a "Big Red OFF" switch would be useful.

    e.g.
    <shieldson lock="randomstring" allowed="keyword,keyword,keyword" />
    disallowed material disabled
    <shieldsoff lock="randomstring"/>
    state restored to before lock

    Where keywords:
    textonly = just text
    basic = basic formatting <em> <b> <i> <strong>
    tables = tables
    urls= plain <a href=""> no javascript etc
    images= plain images, no javascript etc.
    java=java
    javascript=javascript.

    The idea is it will be very hard for the attacker to guess the random string.

    Oh well...
  • About (2?) years ago (Score:5, Interesting)

    by lupid ( 880820 ) on Friday October 14, 2005 @10:08AM (#13790663)
    I did this. They were more lenient with the javascript back then. You had to use escape characters, but it was no big deal. I wrote a self-propagating worm that changed a user's name to the source of my script. Then I inserted that code into my name. Everyone on myspace had their name changed to 'lupidvirus' after about 6 hours. I got a call from their lawyers the next day at work.

    Mine propagated faster than this one because it didn't rely on profile views. Anytime you saw the name, whether it be in a comment, profile, or search, you would be infected. However, with the script executing 100 times per page view, myspace's servers quickly became overloaded and crashed (I didn't really expect it to work). I also essentially staged a DDoS attack against my web server which was hosting the script (it needed to be hosted in order to fit in the 'name' field).

    Another note: myspace never removed the scripts that were saved before they outlawed javascript. To this day, I can read a user's inbox and sent messages when they view my profile. I also was going to write a DHTML roleplaying game that ran on myspace, but they locked that account because of the virus. It still plays music and lets you manipulate your inventory though =D
  • Just a question... (Score:3, Insightful)

    by strider44 ( 650833 ) on Friday October 14, 2005 @10:12AM (#13790707)
    This guy used the <div> tag to insert the javascript which slashdot also allows. Not that I'm wanting anyone to do something evil with it but I'm wondering could slashdot be susceptable to the same flaw they're reporting?
  • by Doc Ruby ( 173196 ) on Friday October 14, 2005 @10:32AM (#13790884) Homepage Journal
    After patching to fix this problem, MySpace now becomes the most immune to these types of attacks. Their software is more resistant, their team is more educated. To mix punchlines, pioneers get the arrows, but blows that do not break the back, strengthen it.
  • How he did it (Score:4, Informative)

    by Sheepdot ( 211478 ) on Friday October 14, 2005 @01:33PM (#13792472) Journal
    From the horses's mouth:
    http://namb.la/popular/tech.html [namb.la]

The Tao is like a glob pattern: used but never used up. It is like the extern void: filled with infinite possibilities.

Working...